Anti-malware system, method of processing packet in the same, and computing device

ABSTRACT

An anti-malware (AM) apparatus includes: a hardware-based firewall (FW) engine, including a packet matching engine configured to perform matching of a packet with a plurality of FW rules, and to generate a matching result; and an FW function module configured to determine an action for filtering the packet on the basis of the matching result.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to and the benefit of U.S. Provisional Patent Application No. 61/727,917 filed on Nov. 19, 2012, the disclosure of which is incorporated herein by reference in its entirety.

BACKGROUND

1. Field

The present disclosure relates to a system for use in providing a security solution, and more particularly, to a system including a hardware-based firewall (FW) engine and to a method of processing packets in such a system.

2. Discussion of Related Art

With the spread of the Internet, the number of pieces of malware or malicious codes, for example, a computer virus, a worm, a Trojan horse, a spyware program, a rootkit, a distributed denial of service (DDoS) attack, etc., designed to perform a malicious action against a user's intention, is drastically increasing, and, accordingly, there is a growing need for an anti-malware (AM) solution for effective security of a computer system.

In addition, with the widespread use of mobile devices such as a smartphone, a tablet, etc., there is deep concern that malware that has attacked personal computers (PCs) would also have severe harmful effects on the mobile devices. Thus, an effective AM solution is required for the mobile devices as well.

An AM solution may include an FW solution for a personal FW. However, when the number of FW rules for packets increases in the personal FW, the time required for processing the packets increases. It is a crucial disadvantage for an FW solution to have a long response time to a packet transmitted in a network. Also, in the case of mobile devices having relatively many limitations on resources such as a central processing unit (CPU) and a battery, the longer the time taken for packet processing, the faster the battery will deplete.

SUMMARY

One or more exemplary embodiments may overcome the above disadvantages and other disadvantages not described above. However, it is understood that one or more exemplary embodiments are not required to overcome the disadvantages described above, and may not overcome any of the problems described above.

The present disclosure is directed to performing certain operations for providing a FW function at a high speed using a hardware-based FW engine, and to implementing other FW operations on a software level of a platform including the FW engine so that various security solutions can be provided.

Further, the present disclosure is directed to providing improved FW performance with a computing device having limited resources.

According to an exemplary embodiment, there is provided an anti-malware (AM) apparatus, including: a hardware-based firewall (FW) engine, including a packet matching engine configured to perform matching of a packet with a plurality of FW rules, and to generate a matching result; and an FW function module configured to determine an action for filtering the packet on the basis of the matching result.

According to an aspect of the AM apparatus, the packet matching engine includes: a plurality of rule keys derived from the plurality of FW rules; a packet key converted from the packet; and one or more packet matchers configured to compare the packet key with the plurality of rule keys.

According to an aspect of the AM apparatus, each of said one or more packet matchers includes a plurality of packet sub-matchers configured to operate in parallel, and further configured to compare a subset of the plurality of rule keys with the packet key.

According to an aspect of the AM apparatus, the hardware-based FW engine further includes a packet stream capture unit, and the packet stream capture unit is configured to extract data, related to the plurality of FW rules, from the packet and to provide the extracted data to the packet matching engine.

According to an aspect of the AM apparatus, the packet stream capture unit is further configured to extract the data from the packet so as to include data specific to at least one of a link layer protocol, a network layer protocol, and a transmission layer protocol.

According to an aspect of the AM apparatus, the plurality of FW rules further include a uniform resource locator (URL) filtering rule; the hardware-based FW engine further includes a URL filter; the packet stream capture unit is further configured to extract a URL portion from the packet and to provide the extracted URL portion to the URL filter; and the URL filter is configured to perform matching of the URL portion with the URL filtering rule.

According to an aspect of the AM apparatus, the plurality of FW rules further include a content filtering rule; the hardware-based FW engine further includes a content filter; the packet stream capture unit is further configured to extract at least one of a keyword and a pattern, from the packet, and to provide to the content filter the extracted at least one of the keyword and the pattern; and the content filter is configured to perform matching of the at least one of the keyword and the pattern with the content filtering rule.

According to an aspect of the AM apparatus, the FW function module is implemented as firmware.

According to an aspect of the AM apparatus, the FW function module is implemented as an application, said application being executed by an external CPU in cooperation with the hardware-based FW engine.

According to an aspect of the AM apparatus, the hardware-based FW engine includes a central processing unit (CPU) and a memory, and wherein the firmware implementing the FW function module is stored in the memory.

According to an aspect of the AM apparatus, the hardware-based FW engine is integrated with a processor, and wherein the processor includes a security execution environment module configured to virtualize the processor into different processors respectively corresponding to a normal mode and a security mode.

According to an aspect of the AM apparatus, the virtualized processor corresponding to the security mode is configured to execute an application received by the AM apparatus.

According to an aspect of the AM apparatus, the AM apparatus further includes a storage device connected to the processor, wherein the security execution environment module further virtualizes the storage device into different storage devices respectively corresponding to the general mode and the security mode.

According to an aspect of the AM apparatus, the virtualized storage device corresponding to the security mode stores the plurality of FW rules.

According to another exemplary embodiment, there is provided a method of processing a packet in an AM apparatus including: performing matching of the packet with a plurality of FW rules using a packet matching engine of a hardware-based firewall (FW) engine; generating a matching result; and determining, at an FW function module, an action for filtering the packet on the basis of the matching result.

According to an aspect of the method, the matching of the packet further includes: deriving a plurality of rule keys from the plurality of FW rules; converting a packet key from the packet; and comparing, at one or more packet matchers of the packet matching engine, the packet key with the plurality of rule keys.

According to an aspect of the method, the method further includes: operating, in parallel, in each of said one or more packet matchers, a plurality of packet sub-matchers; and carrying out the comparing of the packet key with the plurality of rule keys, at each of said one or more packet sub-matchers, by comparing a subset of the plurality of rule keys with the packet key.

According to an aspect of the method, the method further includes extracting, at a packet stream capture unit of the hardware-based FW engine, data, related to the FW rules, from the packet, and providing the extracted data to the packet matching engine.

According to an aspect of the method, the extracting of the data from the packet at the packet stream capture unit is performed so as to include data specific to at least one of a link layer protocol, a network layer protocol, and a transmission layer protocol.

According to an aspect of the method, the method further includes: extracting, at the packet stream capture unit, a uniform resource locator (URL) portion from the packet; providing the extracted URL portion to a URL filter of the hardware-based FW engine; and matching, at the URL filter, the URL portion with a URL filtering rule of the plurality of FW rules.

According to an aspect of the method, the method further includes: extracting, at the packet stream capture unit, at least one of a keyword and a pattern from the packet; providing the at least one of the keyword and the pattern to a content filter of the hardware-based FW engine; and matching, at the content filter, the at least one of the keyword and the pattern with a content filtering rule of the plurality of FW rules.

According to an aspect of the method, the method further includes providing the FW function module implemented as firmware.

According to an aspect of the method, the method further includes providing the FW function module as an application, said application being executed by an external CPU in cooperation with the hardware-based FW engine.

According to an aspect of the method, the hardware-based FW engine includes a central processing unit (CPU) and a memory, and wherein the providing of the FW function module includes storing the firmware in the memory.

According to an aspect of the method, the method further includes: using a security execution environment module to virtualize a processor integrated with the hardware-based FW engine into different processors respectively corresponding to a normal mode and a security mode; wherein the security execution environment module is included in the processor.

According to an aspect of the method, the method further includes executing an application using the AM apparatus on the virtualized processor corresponding to the security mode.

According to an aspect of the method, the method further includes virtualizing, at the security execution environment module, a storage device connected to the processor into different storage devices respectively corresponding to the normal mode and the security mode.

According to an aspect of the method, the plurality of FW rules are stored in the virtualized storage device corresponding to the security mode.

According to still another exemplary embodiment, there is provided a computing device, including: a CPU core, and an anti-malware (AM) apparatus configured to provide a security platform on which a firewall (FW) software application is executable, wherein the AM apparatus includes: a hardware-based FW engine including a packet matching engine configured to perform matching of a packet with a plurality of FW rules, and to generate a matching result; and an FW function module configured to determine an action for filtering the packet on the basis of the matching result.

Further details of various embodiments of the present disclosure are disclosed in the following detailed description and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features, and advantages of the exemplary embodiments of the present disclosure will become more apparent to those familiar with this field from the following detailed description when taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a diagram showing an example of an AM system that performs AM functions on the basis of hardware according to an exemplary embodiment of the present disclosure;

FIG. 2 shows a constitution of an AM module according to an exemplary embodiment of the present disclosure;

FIG. 3 illustrates a non-isolated scheme of integrating an AM module with a processor according to an exemplary embodiment of the present disclosure;

FIG. 4 illustrates an isolated scheme of integrating an AM module with a processor according to an exemplary embodiment of the present disclosure;

FIG. 5 illustrates a security platform provided by an AM system according to an exemplary embodiment of the present disclosure;

FIG. 6 is a diagram for illustrating operations of exemplary modules for providing a FW function on a security platform according to an exemplary embodiment of the present disclosure;

FIG. 7 shows a constitution of a hardware-based FW engine according to an exemplary embodiment of the present disclosure;

FIG. 8 shows exemplary data structures of a packet key and a rule key for use in a packet matching engine according to an exemplary embodiment of the present disclosure;

FIG. 9 shows a constitution of a packet matching engine according to an exemplary embodiment of the present disclosure;

FIG. 10 shows a constitution of a packet sub-matcher according to an exemplary embodiment of the present disclosure;

FIG. 11 is a diagram illustrating a process for a packet stream capture unit to convert an Ethernet frame according to an exemplary embodiment of the present disclosure; and

FIG. 12 shows a constitution of a uniform resource locator (URL) filter according to an exemplary embodiment of the present disclosure.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Exemplary embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. However, the embodiments are merely examples and are not to be construed as limiting the present disclosure.

Various details already understood by those familiar with this field will be omitted to avoid obscuring the gist of the present disclosure. Terminology described below is defined considering functions in the present disclosure and may vary according to a user's or operator's intention or usual practice. Thus, the meanings of the terminology should be interpreted based on the overall context of the present specification.

The spirit of the present disclosure is determined by the claims, and the following exemplary embodiments are provided only to efficiently describe the spirit of the present disclosure to those of ordinary skill in the art.

FIG. 1 is a diagram showing an example of an AM system that performs AM functions on the basis of hardware according to an exemplary embodiment of the present disclosure.

An AM system 100 includes a processor 110 such as an application processor, a storage medium 120 such as a read-only memory (ROM) and/or a random access memory (RAM), and a bus 130 that connects various hardware components including the storage medium 120 to the processor 110. The processor 110 may include at least one CPU core 140. The storage medium 120 may include many different types of storage media having different performance characteristics. The bus 130 may include a memory bus or memory controller, a peripheral bus, and a local bus using any of various bus architectures.

The storage medium 120 of the AM system 100 is configured to store instructions executable by a processing unit such as the processor 110. For example, the instructions stored in the storage medium 120 may include instructions of an operating system (OS) for operating the various components, and instructions of AM software running on the OS. As will be described later, the AM software may be configured to provide AM functions to a user of the AM system 100. In certain embodiments, drivers for the hardware components, libraries, firmware, and various types of application software may be stored in the storage medium 120. In accordance with different embodiments, the drivers, the libraries, the firmware and/or the application software may be stored in a different storage medium.

The AM system 100 further includes an AM module 150 for malware detection. As shown in FIG. 1, the AM module 150 may be included in the processor 110. The AM module 150 is connected through the bus 130 to the CPU core 140 and the storage medium 120. The AM module 150 includes at least one hardware-based engine, for example, an anti-virus (AV) engine 160 and/or a firewall (FW) engine 170. The AV engine 160 may perform hash matching on certain data for AV scanning of the data. The FW engine 170 may perform an FW function of filtering a packet. In a certain exemplary embodiment, the AM module 150 may be configured in the form of a system-on-chip (SoC). Such a SoC is configured as a single chip having hardware logic and firmware for malware detection. In another exemplary embodiment, the AM module 150 may be configured in the form of hardware logic (e.g., the AV engine 160 and/or the FW engine 170) only and may cooperate with certain software (e.g., an application) executed by an external CPU for malware detection.

The exemplary AM system 100 may be included in a computing device having stored thereon data and/or files to be scanned. The computing device may be a mobile device, such as a smartphone or a tablet, etc., an embedded device, a desktop computer, or so on.

The exemplary AM module 150 may be constituted in various ways. For example, as shown in FIG. 2, the AM module 150 includes the AV engine 160 and the FW engine 170. In addition, the AM module 150 may further include an AV reset unit 210 and an FW reset unit 220.

In FIG. 2, the AV engine 160 and the FW engine 170 may operate independently of each other. The AV engine 160 reads data (e.g., the whole or a part of a database or a file) in word units (e.g., four bytes) from a master device (e.g., the storage medium 120 of the AM system 100) external to the AM module 150 through a first interface 230. The external master device may control the AV engine 160 and check a state of the AV engine 160 through a second interface 240, and control the FW engine 170 and check a state of the FW engine 170 through a third interface 250. The AV engine 160 and the FW engine 170 output an AV interrupt signal 260 and an FW interrupt signal 270, respectively.

The AV engine 160 and the FW engine 170 receive a clock signal HCLK 280. FIG. 1 shows that the clock signal 280 is used in common for the AV engine 160 and the FW engine 170, which is, however, merely illustrative.

The AV reset unit 210 may receive a software reset request signal 214 from the AV engine 160 and a system reset input signal HRESETn 290 from outside the AM module 150 to provide an AV reset signal 212 to the AV engine 160. The FW reset unit 220 may receive a software reset request signal 224 from the FW engine 170 and the externally applied system reset input signal 290 to provide an FW reset signal 222 to the FW engine 170. FIG. 1 shows that the system reset input signal 290 is used in common for the AV reset unit 210 and the FW reset unit 220, which is, however, merely illustrative.

Certain exemplary embodiments involve integration of the AM module 150 and the processor 110. The AM module 150 may be integrated with the processor 110 in various ways. For example, as shown in FIG. 3 and FIG. 4, the AM module 150 may be integrated into the processor 110.

As an example, the AM module 150 illustrated in FIG. 3 is integrated with the processor 110 such that it can use the CPU core 140 in the processor 110 and a designated area of a certain memory (e.g., the storage medium 120) through the bus 130. This is referred to as a non-isolated scheme. According to the non-isolated scheme, the AV engine 160 and the FW engine 170 of the AM module 150 are connected to the CPU core 140 of the processor 110 through the bus 130, and also connected to an external memory (e.g., the storage medium 120) through the bus 130. The AM module 150 of FIG. 3 may have an additional engine (e.g., a crypto engine 310), which is also connected to the CPU core 140 and the storage medium 120 through the bus 130. According to the non-isolated scheme, the AM module 150 may enable relatively rapid data detection using the CPU core 140 of the processor 110.

As another example, the AM module 150 illustrated in FIG. 4 is integrated with the processor 110 according to an isolated scheme. The AM module 150 itself of FIG. 4 includes a CPU 440 and a memory 450. According to the isolated scheme, the AM module 150 may use the CPU 440 and the memory 450 to reduce use of the CPU core 140 of the processor 110. According to the scheme shown in FIG. 4, the AV engine 160 and the FW engine 170 of the AM module 150 are connected through an internal bus 460 to the CPU 440, the memory 450, and an interface 430. The interface 430 connects the AM module 150 to the CPU core 140 and the storage medium 120 through the bus 130. Likewise, an additional engine (e.g., a crypto engine 410) included in the AM module 150 may be connected through the bus 460 to the interface 430, the CPU 440, and the memory 450 in the AM module 150. Alternatively, another engine (e.g., a crypto engine 420) located outside the AM module 150 may be directly connected to the bus 130 to use the CPU core 140 of the processor 110.

Meanwhile, a dotted line 480 of FIG. 4 denotes that the AM module 150 may be integrated with a modem 470 external to the processor 110. According to such a modem integration scheme, the AM module 150 is present between a network stack of the OS (not shown) and the modem 470, and may be used to detect a harmful packet for the security of the AM system 100 including the AM module 150. Further, according to the modem integration scheme, the usage of the CPU core 140 of the processor 110 is low. In this case, the AM module 150 may directly receive a network packet through the modem 470 and process the packet in the transport layer.

Alternatively, a dotted line 490 of FIG. 4 denotes that the AM module 150 is integrated with the processor 110 while the modem 470 is connected to the processor 110 through the bus 130. In this case, since the AM module 150 serves as a coprocessor (e.g., the CPU 440) in the AM system 100, the AM module 150 may detect a packet for use in the CPU core 140 of the processor 110, thereby facilitating network packet processing over layers including the application layer to the transport layer.

FIG. 5 illustrates a security platform provided by an AM system according to an exemplary embodiment of the present disclosure.

An exemplary security platform 500 includes a hardware level and a software level. Sub-modules of each level may be modified or extended according to the design of the platform 500. Such modules implement certain functions to be performed on the platform 500. In other words, certain functional modules operate on the platform 500. These functional modules are implemented at the hardware level or the software level of the platform 500. For example, the FW function may be performed on the platform 500, and to this end, the platform 500 operates a certain FW function module. Using the FW function module, an application (e.g., an FW application 540) may be executed at the software level of the platform 500.

In the hardware level of the platform 500, a hardware-based FW engine 170 is included. An exemplary constitution of the hardware-based FW engine 170 will be described later. In the hardware level of the platform 500, an AV engine 160 may be further included, and a crypto engine(s) 310, 410, and/or 420 for performing an encryption function may be additionally included. The constitution of the platform 500 will be described below particularly in terms of the FW function among the functions of the platform 500.

In the hardware level of the platform 500, FW firmware 510 may be further included. At the hardware level of the platform 500, the FW firmware 510 implements a functional module that performs certain operations for the FW function. The instructions of the FW firmware 510 may be stored in a certain memory and executed by a certain processing unit. For example, when the AM module 150 including the FW engine 170 is integrated with a processor 110 according to the isolated scheme, the instructions of the FW firmware 510 may be stored in the memory 450 of the AM module 150 and executed by the CPU 440 of the processor 110. By way of another example, when the AM module 150 including the FW engine 170 is integrated with the processor 110 according to the non-isolated scheme, the instructions of the FW firmware 510 may be stored in the storage medium 120 and executed by the CPU core 140 of the processor 110. However, it will be understood that the foregoing examples are illustrative and that variations may be made therein.

The software level of the platform 500 includes a driver 520, a library 530, and a FW application 540. The instructions of the driver 520, the instructions of the library 530 and the instructions of the FW application 540 may be stored in a certain memory (e.g., the storage medium 120) and executed by a certain processing unit (e.g., the processor 110). A functional module for performing certain operations for the FW function is implemented as software by the driver 520 and/or the library 530. Also, the driver 520 provides an interface with the hardware level of the platform 500. The FW application 540 is software for providing an FW solution on the basis of the platform 500. The FW application 540 may use and/or control the platform 500 through, for example, an application programming interface (API) provided by the library 530, and receive an output from the platform 500 using a callback function.

In the platform 500, the firmware 510, the driver 520, and/or the library 530 may implement operations that need to be frequently updated to cope with new malicious codes and strengthen security. According to how closely the AM module 150 is related with the processor 110 (e.g., how the AM module 150 is integrated with the processor 110), an operation to be performed on the platform 500 may be implemented in firmware at the hardware level or in a driver or a library at the software level.

In a certain exemplary embodiment, the hardware-based FW engine 170 performs packet matching operations of matching a certain rule with a packet on which a filtering action (e.g., allowing, dropping, or logging of the packet) will be performed. Also, the hardware-based FW engine 170 may perform uniform resource locator (URL) filtering operations, content filtering operations, and packet stream capture operations. The URL filtering operations include operations of matching URL filtering rules with a URL of a hypertext transfer protocol (HTTP) packet or a point-to-point tunneling protocol (PPTP) packet. The content filtering operations apply content filtering rules regarding a specific keyword, pattern, etc. to packets including content such as document and image files, and may be performed in a way similar to the URL filtering operations. The packet stream capture operations include operations of converting a packet incoming from or outgoing to a network medium into an appropriate format for operations of the FW engine 170.
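The packet matching engine summarized earlier (rule keys derived from the FW rules, a packet key converted from the packet, and packet sub-matchers each comparing a subset of the rule keys in parallel) together with the packet stream capture and the filtering action chosen from the matching result can be modelled in software. The following C program is an added example written for this page; it is not the patent's firmware or any product's code. The packet key layout, the masked field comparison, the number of sub-matchers, first-match precedence across sub-matchers, the fail-closed handling of frames the capture unit cannot parse, and the default allow when no rule hits are all this example's assumptions. The frames and rule table are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Filtering actions the FW function module can choose (page: allow, drop, log). */
enum fw_action { FW_ALLOW = 0, FW_DROP = 1, FW_LOG = 2 };

/* Packet key: fields the capture unit extracts; layout is this example's assumption. */
struct packet_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

/* Rule key: a value/mask pair per field plus an action; a zero mask is a wildcard. */
struct rule_key { struct packet_key value, mask; enum fw_action action; };

#define MAX_RULES       512 /* page: up to 512 IPv4 packet matcher rules */
#define NUM_SUBMATCHERS 4   /* assumed number of parallel sub-matchers */

/* Packet stream capture: convert an Ethernet/IPv4 frame into a packet key.
 * Returns 0 on success, -1 for frames this example does not understand. */
int capture_packet_key(const uint8_t *f, size_t len, struct packet_key *k)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return -1;  /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return -1;
    memset(k, 0, sizeof *k);
    k->proto  = ip[9];
    k->src_ip = (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 | (uint32_t)ip[14] << 8 | ip[15];
    k->dst_ip = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | (uint32_t)ip[18] << 8 | ip[19];
    if (k->proto == 6 || k->proto == 17) {              /* TCP or UDP: ports follow the IP header */
        const uint8_t *l4 = ip + ihl;
        k->src_port = (uint16_t)(l4[0] << 8 | l4[1]);
        k->dst_port = (uint16_t)(l4[2] << 8 | l4[3]);
    }
    return 0;
}

/* Masked, field-by-field comparison of one rule key with the packet key. */
static int rule_hits(const struct rule_key *r, const struct packet_key *p)
{
    return (p->src_ip & r->mask.src_ip) == r->value.src_ip && (p->dst_ip & r->mask.dst_ip) == r->value.dst_ip &&
           (p->src_port & r->mask.src_port) == r->value.src_port &&
           (p->dst_port & r->mask.dst_port) == r->value.dst_port && (p->proto & r->mask.proto) == r->value.proto;
}

/* One packet sub-matcher: scans its slice [begin, end) of the rule table and returns the
 * first matching index, or -1. In hardware the slices are compared in parallel; this
 * software model simply visits them one after another. */
int sub_matcher(const struct rule_key *rules, size_t begin, size_t end, const struct packet_key *p)
{
    for (size_t i = begin; i < end; i++)
        if (rule_hits(&rules[i], p)) return (int)i;
    return -1;
}

/* Packet matching engine: hand each sub-matcher a slice of the table and report the
 * lowest-index hit (first-match precedence is an assumption). */
int match_packet(const struct rule_key *rules, size_t n, const struct packet_key *p)
{
    size_t slice = (n + NUM_SUBMATCHERS - 1) / NUM_SUBMATCHERS;
    int best = -1;
    for (size_t s = 0; s < NUM_SUBMATCHERS && s * slice < n; s++) {
        size_t end = (s + 1) * slice < n ? (s + 1) * slice : n;
        int hit = sub_matcher(rules, s * slice, end, p);
        if (hit >= 0 && (best < 0 || hit < best)) best = hit;
    }
    return best;
}

/* FW function module: turn the matching result into a filtering action. Frames the capture
 * unit rejects, and tables larger than MAX_RULES, are dropped (fail closed); a packet that
 * hits no rule is allowed. Both defaults are this example's choices. */
enum fw_action decide_action(const struct rule_key *rules, size_t n, const uint8_t *frame, size_t len)
{
    struct packet_key k;
    if (n > MAX_RULES || capture_packet_key(frame, len, &k) != 0) return FW_DROP;
    int idx = match_packet(rules, n, &k);
    return idx < 0 ? FW_ALLOW : rules[idx].action;
}

/* Constructed frames (checksums left zero): Ethernet + IPv4 (IHL 5, protocol TCP) + TCP,
 * 10.0.0.1:40000 -> 192.168.0.1 with destination port 23 and 443; plus an ARP frame. */
static const uint8_t FRAME_TELNET[54] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [23] = 6, [26] = 10,
    [29] = 1, [30] = 192, [31] = 168, [33] = 1, [34] = 0x9c, [35] = 0x40, [37] = 23 };
static const uint8_t FRAME_HTTPS[54] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [23] = 6, [26] = 10,
    [29] = 1, [30] = 192, [31] = 168, [33] = 1, [34] = 0x9c, [35] = 0x40, [36] = 0x01, [37] = 0xbb };
static const uint8_t FRAME_ARP[42] = { [12] = 0x08, [13] = 0x06 };

/* Constructed rule table: drop TCP to port 23 from anywhere, then an all-wildcard allow. */
static const struct rule_key DEMO_RULES[2] = {
    { .value = { .proto = 6, .dst_port = 23 }, .mask = { .proto = 0xff, .dst_port = 0xffff }, .action = FW_DROP },
    { .action = FW_ALLOW },
};

/* which = 0: telnet frame, 1: HTTPS frame, 2: ARP frame. */
enum fw_action demo_action(int which)
{
    const uint8_t *f = which == 0 ? FRAME_TELNET : which == 1 ? FRAME_HTTPS : FRAME_ARP;
    return decide_action(DEMO_RULES, 2, f, which == 2 ? sizeof FRAME_ARP : sizeof FRAME_TELNET);
}
```

`demo_action(0)` returns `FW_DROP` (rule 0 hits on protocol and destination port), `demo_action(1)` returns `FW_ALLOW` (only the catch-all hits), and `demo_action(2)` returns `FW_DROP` because the capture unit refuses the ARP frame. Because each sub-matcher returns the first hit within its own ordered slice, the lowest index across sub-matchers is the global first match, which is what lets the slices be evaluated independently.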

When the AM module 150 is integrated with the processor 110 according to the isolated scheme, some processing operations related to the above operations may be implemented by the FW firmware 510 at the hardware level. For example, certain operations for analyzing a packet may be implemented by the FW firmware 510, and other processing operations may be implemented by the library 530 and/or the driver 520. The operations of the FW function module implemented as the FW firmware 510 include packet filtering operations of causing the packet matching operations to initiate and determining an action for filtering a packet on the basis of results of the packet matching operations, and/or transmission control protocol (TCP) verification operations of tracking a TCP connection state according to an analysis of a TCP packet.
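The TCP verification operation named above, tracking a connection state from an analysis of each TCP segment, is shown below as an added C example; it is not the patent's firmware or any product's code. The state set, the initiator/reply direction handling, and the verdict semantics (1 when a segment is consistent with the tracked state, 0 when it is out of state) are this example's assumptions; the flag bit values follow the standard TCP header layout, and the two segment traces are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits as laid out in the header's flags byte (offset 13). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Simplified connection states; this set is the example's, not the page's. */
enum tcp_state { TS_NONE, TS_SYN_SENT, TS_SYN_RECV, TS_ESTABLISHED, TS_FIN_WAIT, TS_CLOSED };
enum tcp_dir { DIR_ORIG, DIR_REPLY };   /* from the initiator, or back towards it */

struct tcp_conn { enum tcp_state state; int fins_seen; };

/* Analysis step: pull the flags byte out of a TCP header of at least 20 bytes. */
uint8_t tcp_flags(const uint8_t *tcp_hdr) { return tcp_hdr[13]; }

/* Apply one segment to the tracked connection. Returns 1 when the segment is consistent
 * with the tracked state and 0 when it is out of state, which is the verdict a verifier
 * would hand to the FW function module. */
int tcp_verify(struct tcp_conn *c, enum tcp_dir dir, uint8_t flags)
{
    if (c->state != TS_NONE && (flags & TH_RST)) { c->state = TS_CLOSED; return 1; }
    switch (c->state) {
    case TS_NONE:                       /* only an initiator SYN opens a connection */
        if (dir == DIR_ORIG && (flags & (TH_SYN | TH_ACK)) == TH_SYN) { c->state = TS_SYN_SENT; return 1; }
        return 0;
    case TS_SYN_SENT:
        if (dir == DIR_REPLY && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) { c->state = TS_SYN_RECV; return 1; }
        return dir == DIR_ORIG && (flags & TH_SYN) != 0;   /* SYN retransmission */
    case TS_SYN_RECV:
        if (dir == DIR_ORIG && (flags & (TH_SYN | TH_ACK)) == TH_ACK) { c->state = TS_ESTABLISHED; return 1; }
        return 0;
    case TS_ESTABLISHED:
        if (flags & TH_SYN) return 0;   /* a SYN inside an open connection is out of state */
        if (flags & TH_FIN) { c->state = TS_FIN_WAIT; c->fins_seen = 1; return 1; }
        return (flags & TH_ACK) != 0;
    case TS_FIN_WAIT:
        if (flags & TH_SYN) return 0;
        if (flags & TH_FIN) { if (++c->fins_seen == 2) c->state = TS_CLOSED; return 1; }
        return (flags & TH_ACK) != 0;
    case TS_CLOSED:                     /* only the ACK of the last FIN is still expected */
        return (flags & (TH_SYN | TH_FIN)) == 0 && (flags & TH_ACK) != 0;
    }
    return 0;
}

/* One segment of a constructed trace. */
struct seg { enum tcp_dir dir; uint8_t flags; };

/* Run a trace through a fresh tracker; returns how many segments were flagged as
 * out of state and leaves the final state in *final. */
int run_trace(const struct seg *trace, size_t n, enum tcp_state *final)
{
    struct tcp_conn c = { TS_NONE, 0 };
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!tcp_verify(&c, trace[i].dir, trace[i].flags)) rejected++;
    *final = c.state;
    return rejected;
}

/* Constructed traces: a full handshake, data, and an orderly close ... */
static const struct seg HANDSHAKE_CLOSE[] = {
    { DIR_ORIG, TH_SYN }, { DIR_REPLY, TH_SYN | TH_ACK }, { DIR_ORIG, TH_ACK },
    { DIR_ORIG, TH_ACK }, { DIR_REPLY, TH_FIN | TH_ACK }, { DIR_ORIG, TH_ACK },
    { DIR_ORIG, TH_FIN | TH_ACK }, { DIR_REPLY, TH_ACK },
};
/* ... and a stray ACK with no prior handshake, followed by a proper SYN. */
static const struct seg STRAY_ACK[] = { { DIR_ORIG, TH_ACK }, { DIR_ORIG, TH_SYN } };
/* A constructed 20-byte TCP header carrying only the SYN flag. */
static const uint8_t SYN_HEADER[20] = { [13] = TH_SYN };

/* which = 0: handshake-and-close trace, 1: stray-ACK trace. */
int demo_rejections(int which)
{
    enum tcp_state s;
    return which == 0 ? run_trace(HANDSHAKE_CLOSE, sizeof HANDSHAKE_CLOSE / sizeof *HANDSHAKE_CLOSE, &s)
                      : run_trace(STRAY_ACK, sizeof STRAY_ACK / sizeof *STRAY_ACK, &s);
}
enum tcp_state demo_final_state(int which)
{
    enum tcp_state s;
    if (which == 0) run_trace(HANDSHAKE_CLOSE, sizeof HANDSHAKE_CLOSE / sizeof *HANDSHAKE_CLOSE, &s);
    else            run_trace(STRAY_ACK, sizeof STRAY_ACK / sizeof *STRAY_ACK, &s);
    return s;
}

int main(void)
{
    printf("handshake+close: %d rejected, final state %d\n", demo_rejections(0), demo_final_state(0));
    printf("stray ack: %d rejected, final state %d\n", demo_rejections(1), demo_final_state(1));
    return 0;
}
```

The handshake-and-close trace produces no rejections and ends in `TS_CLOSED`; the stray-ACK trace produces one rejection (the ACK that arrives before any SYN) and ends in `TS_SYN_SENT`. A verifier placed in the FW function module would feed that 0/1 verdict into the same allow/drop/log decision the packet matcher results feed.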

Alternatively, certain processing operations including the packet filtering operations and/or the TCP verification operations may be implemented as software by the driver 520 and/or the library 530. For example, when the AM module 150 is integrated with the processor 110 according to the non-isolated scheme, the platform 500 may be configured in this manner.

A security solution based on the platform 500 may enable respective vendors to make the best use of the advantages of the hardware-based AM module 150 in the course of developing various applications (e.g., the FW application 540). Thus, for the security solution, hardware-based improvement in its performance can be achieved while its unique security functions can be implemented as software.

Furthermore, the platform 500 may involve an enhanced security structure. A computing device including an AM system 100 that provides such a platform 500 is improved in the stability of security.

In an exemplary embodiment, a module 550 for providing a security execution environment to the hardware level of the platform 500 is included in the hardware level of the platform 500. The security execution environment module 550 may be included in the processor 110 integrated with the FW engine 170. The security execution environment module 550 may support platform authentication, generation/storage of a measurement value for integrity check, protection of data storage, and so on. The security execution environment module 550 interfaces with a higher level function (e.g., the FW function provided by the driver 520 and/or the library 530) through a security execution environment driver 560 and/or a security execution environment library 570.

The security execution environment module 550 allows the operating environment of (the CPU core 140 and/or the CPU 440 of) the processor 110 to have a normal mode and a security mode, and virtualizes the processor 110 into two processors corresponding to the respective modes. Applications at the software level of the platform 500 are executed on the virtualized processor corresponding to the normal mode or the security mode. In other words, applications at the software level of the platform 500 are logically classified as either normal or security applications, where the normal application and the security application may be respectively executed on the two virtualized processors as if they were executed on two separate processors. For example, the FW application 540 using the AM system 100 is executed on the virtualized processor corresponding to the security mode.

The security execution environment module 550 logically partitions a storage device or a peripheral device connected to (the CPU core 140 and/or the CPU 440 of) the processor 110, as well as the processor 110, and virtualizes the storage device or the peripheral device into devices corresponding to the respective modes.

Such logical partitioning enables the following. First, security-critical portions, for example, a certain library and/or driver (e.g., the library 530 and/or the driver 520), a key, FW rules, a virus signature database, etc., may be stored in the virtualized storage medium corresponding to the security mode. When the stored library and/or driver is installed or updated, performing an integrity checking process through a mechanism such as an electronic signature, etc. may prevent the contents of the library and/or driver from being tampered with or damaged or from being improperly updated. Likewise, when the virus signature database and the FW rules are updated, tampering with and improper updating of their contents can be prevented. Also, it is possible to prevent the library, the driver, the FW rules, and the virus signature database from being updated by a source posing as a trustworthy update server. Furthermore, a process for authenticating an application operating in the normal mode may be executed in the security mode so as to prevent the application from being tampered with.

FIG. 6 is a diagram for illustrating operations of exemplary modules for providing the FW function on a security platform according to an exemplary embodiment of the present disclosure.

A computing device 600 includes the AM system 100 that provides the platform 500 described above. The computing device 600 includes a network interface card (NIC) 610. Through the NIC 610, a packet is input from a network medium or output to the network medium. The NIC 610 belongs to the hardware level of the platform 500 implemented in the computing device 600. A kernel space including service modules executed on an OS of the computing device 600 and a user space including processes called/performed by a user in the computing device 600 correspond to the software level of the platform 500. A kernel network protocol stack 620 as well as the driver 520 may be included in the kernel space. The kernel network protocol stack 620 is a network stack of the OS, and delivers a packet to be filtered to a module at the software level (e.g., a filtering manager that will be described later) so that the packet can be allowed or dropped. In addition to the library 530 and the FW application 540, an application 630 executed by the user of the computing device 600 may be included in the user space. An example of the application 630 may be a web browser, an instant messenger, etc. using packet data.

A packet incoming from the network medium through the NIC 610 may be delivered to the application 630 via the kernel network protocol stack 620, and a packet generated by the application 630 may be output to the network medium via the kernel network protocol stack 620 and the NIC 610.

The FW application 540 provides a unique FW solution related to such a packet. The FW application 540 uses and/or controls the FW engine 170 and other FW function modules (e.g., the FW firmware 510, the driver 520, and/or the library 530) based on the FW engine 170. The library 530 is an interface between the FW application 540 and the driver 520, and the driver 520 communicates with the library 530 through an AM manager 640 of the driver 520.

The driver 520 includes an FW manager 650, a filtering manager 660, a TCP verification manager 670, and a hardware abstraction module 680, as well as the AM manager 640.

The FW manager 650 controls FW function modules and queries their states. Also, the FW manager 650 may register a network packet hook function in a certain module (e.g., a netfilter module) in the kernel network protocol stack 620 and release the function from the module.

Also, the FW manager 650 may insert and delete FW rules. The FW rules include packet matcher rules, URL filtering rules, and/or content filtering rules. A database of the FW rules may be managed according to these types of FW rules.

The packet matcher rules may be stored in the FW engine 170 in the form of a processed key. For example, a maximum of 512 packet matcher rules may be set to support Internet protocol version 4 (IPv4), and a maximum of 256 packet matcher rules may be set to support both IPv4 and Internet protocol version 6 (IPv6). One URL filtering rule may be divided into two filtering rules. For example, on the basis of the character “/,” two filtering rules respectively corresponding to a domain name portion and a path portion may be derived. The content filtering rules may be related to a keyword, a pattern, etc. included in a document or an image file.

The FW rules may be inserted in the hardware abstraction module 680. The FW rules may be inserted in priority order of the FW rules. For example, the packet matcher rules may have the following two types. First, packet matcher rules of a conditional rule type include condition 1 rules and condition 2 rules. According to the conditional rule type, when a condition of a condition 1 rule is satisfied, a condition 2 rule is activated for a predetermined time. Secondly, packet matcher rules of a general rule type have no relationships between several rules. Condition 2 rules have the highest priority among the rules. Condition 1 rules and general rules have the same priority, and among the general and condition 1 rules, a first-inserted one has a higher priority. The rules are inserted into the hardware abstraction module 680 in descending order of priority. Meanwhile, with the insertion of the FW rules, a data structure called a rule mapping table may be generated, which is used to look up an action according to a result of the matching, performed by the FW engine 170, of a packet with a rule.
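The ordering rule above and the rule mapping table can be checked with the following software model. It is an added example, not code from the patent; where the text is silent it assumes that each rule carries a predicate and an action, that a condition 1 rule names the condition 2 rule it arms, that the activation window is a fixed number of seconds, and that the FW engine reports the lowest index among the rules that match.

```python
"""Added example, not code from the patent: a software model of FW rule
insertion order and the rule mapping table built by the hardware
abstraction module.  Assumed here (not stated on the page): each rule
carries a predicate and an action, a condition 1 rule names the condition
2 rule it arms, the activation window is a fixed number of seconds, and the
engine reports the lowest index among the rules that match.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    kind: str                          # "cond1", "cond2" or "general"
    predicate: Callable[[dict], bool]  # stand-in for the hardware key match
    action: str                        # "allow" or "drop"
    activates: Optional[str] = None    # cond1 only: name of the cond2 rule to arm
    seq: int = 0                       # insertion sequence number
    active_until: float = 0.0          # cond2 only: armed while now <= active_until


class RuleTable:
    def __init__(self, now: Callable[[], float], window: float = 30.0):
        self._now, self._window = now, window
        self._rules: List[Rule] = []
        self._seq = 0

    def insert(self, rule: Rule) -> None:
        self._seq += 1
        rule.seq = self._seq
        self._rules.append(rule)
        # Descending priority: every condition 2 rule first, then condition 1
        # and general rules together in insertion order.
        self._rules.sort(key=lambda r: (0 if r.kind == "cond2" else 1, r.seq))

    def delete(self, name: str) -> None:
        self._rules = [r for r in self._rules if r.name != name]

    def mapping_table(self) -> Dict[int, str]:
        """Rule mapping table: hardware rule index -> filtering action."""
        return {i: r.action for i, r in enumerate(self._rules)}

    def match(self, pkt: dict) -> Optional[Tuple[int, str]]:
        """Index and action of the highest-priority matching rule, or None."""
        now = self._now()
        for i, r in enumerate(self._rules):
            if r.kind == "cond2" and now > r.active_until:
                continue                      # condition 2 rule not armed
            if not r.predicate(pkt):
                continue
            if r.kind == "cond1" and r.activates:
                for c in self._rules:         # arm the paired condition 2 rule
                    if c.name == r.activates:
                        c.active_until = now + self._window
            return i, self.mapping_table()[i]
        return None


def demo() -> List[Optional[Tuple[int, str]]]:
    """Constructed scenario: a telnet probe arms a 10 s quarantine of its source."""
    clock = [1000.0]                          # controllable clock instead of time.monotonic()
    table = RuleTable(now=lambda: clock[0], window=10.0)
    table.insert(Rule("allow-web", "general", lambda p: p["dport"] == 80, "allow"))
    table.insert(Rule("telnet-probe", "cond1", lambda p: p["dport"] == 23, "drop",
                      activates="quarantine"))
    table.insert(Rule("quarantine", "cond2", lambda p: p["src"] == "10.0.0.9", "drop"))
    web = {"src": "10.0.0.9", "dport": 80}
    probe = {"src": "10.0.0.9", "dport": 23}
    out = [table.match(web),      # (1, "allow"): quarantine exists but is not armed
           table.match(probe),    # (2, "drop"):  condition 1 hit arms the quarantine
           table.match(web)]      # (0, "drop"):  condition 2 now outranks the allow rule
    clock[0] += 11.0              # window expires
    out.append(table.match(web))  # (1, "allow")
    return out
```

Because the table is sorted once at insertion time, the index returned by match() is stable for the life of the table and can be used directly as the key of the rule mapping table; a delete() followed by a re-insertion changes the indices, so the mapping table must be regenerated after every rule update, exactly as the text has it generated "with the insertion of the FW rules".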

The filtering manager 660 is a module that analyzes a packet and determines a filtering action for the packet. Further, the filtering manager 660 inserts a packet into the hardware abstraction module 680, and requests matching between the packet and FW rules. As an example, the filtering manager 660 analyzes a packet delivered from the kernel of the OS and determines a filtering action according to the results of the analysis. For example, through the determination, packet filtering may be performed according to an IP blacklist and/or an IP whitelist. As another example, the filtering manager 660 may check whether or not a TCP packet is an HTTP request message packet, and then cause a URL filtering operation to be performed. Content filtering may also be performed in a similar way.

The TCP verification manager 670 analyzes a TCP packet and tracks a TCPconnection state. Using such tracking, verification of the correspondingpacket is performed. The TCP verification manager 670 may track the TCPconnection state according to a previously-defined finite state machine.Also, according to the TCP connection state, the TCP verificationmanager 670 may allow dynamic packet filtering to be performed, or maydetermine whether or not the connection state is normal and causeabnormal traffic to be blocked.
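A connection tracker of the kind described above, written as an added example and not the patent's own code: the state machine is an assumed simplification of the TCP handshake and teardown, and the trace is constructed. What it demonstrates is that an ACK or RST for which no handshake was seen, or a SYN inside an open connection, is "abnormal" for the tracked state and is blocked without consulting any static rule.

```python
"""Added example, not code from the patent: a minimal TCP connection tracker
of the kind the TCP verification manager is described as using.  The finite
state machine below is an assumed simplification of RFC 793 seen from a host
firewall: it follows the handshake and teardown of each connection and
blocks segments that are inconsistent with the tracked state.
"""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Seg = namedtuple("Seg", "src sport dst dport flags")  # flags: string of S, A, F, R, P

TRANSITIONS: Dict[Tuple[str, str, frozenset], str] = {}


def _t(state: str, direction: str, flags: str, nxt: str) -> None:
    for d in (("c2s", "s2c") if direction == "*" else (direction,)):
        TRANSITIONS[(state, d, frozenset(flags))] = nxt


_t("SYN_SENT", "c2s", "S", "SYN_SENT")         # SYN retransmission
_t("SYN_SENT", "s2c", "SA", "SYN_RECV")
_t("SYN_RECV", "c2s", "A", "ESTABLISHED")
_t("ESTABLISHED", "*", "A", "ESTABLISHED")     # data and pure ACKs
_t("ESTABLISHED", "*", "FA", "FIN_WAIT")
_t("FIN_WAIT", "*", "A", "FIN_WAIT")
_t("FIN_WAIT", "*", "FA", "LAST_ACK")
_t("LAST_ACK", "*", "A", "CLOSED")


class TcpTracker:
    def __init__(self) -> None:
        self.conns: Dict[tuple, str] = {}       # (client, cport, server, sport) -> state

    def verify(self, seg: Seg) -> Tuple[str, Optional[str]]:
        """Return ('allow' | 'block', resulting state) for one segment."""
        flags = frozenset(seg.flags) & {"S", "A", "F", "R"}   # PSH/URG do not affect the FSM
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.conns:
            key, direction = fwd, "c2s"
        elif rev in self.conns:
            key, direction = rev, "s2c"
        else:
            if flags == {"S"}:                   # only a bare SYN may create state
                self.conns[fwd] = "SYN_SENT"
                return "allow", "SYN_SENT"
            return "block", None                 # e.g. ACK/FIN/RST scans, spoofed replies
        if "R" in flags:                         # RST on a known connection tears it down
            del self.conns[key]
            return "allow", "CLOSED"
        nxt = TRANSITIONS.get((self.conns[key], direction, flags))
        if nxt is None:                          # abnormal for the current state
            return "block", self.conns[key]
        if nxt == "CLOSED":
            del self.conns[key]
        else:
            self.conns[key] = nxt
        return "allow", nxt


def demo() -> List[str]:
    """Constructed trace: one full connection plus three abnormal segments."""
    t = TcpTracker()
    c, s = ("192.0.2.10", 40000), ("198.51.100.5", 443)
    trace = [
        Seg(*c, *s, "S"), Seg(*s, *c, "SA"), Seg(*c, *s, "A"),   # three-way handshake
        Seg(*c, *s, "PA"),                                       # data segment
        Seg("203.0.113.7", 5555, *s, "A"),                       # ACK without handshake
        Seg(*c, *s, "S"),                                        # SYN inside an open connection
        Seg(*c, *s, "FA"), Seg(*s, *c, "FA"), Seg(*c, *s, "A"),  # teardown
        Seg(*c, *s, "A"),                                        # ACK after close
    ]
    return [t.verify(seg)[0] for seg in trace]
```

A production tracker also needs sequence and acknowledgement number windows, per-state timeouts so that half-open entries created by a SYN flood are expired, and handling of simultaneous open; none of that is modelled here, and without the timeouts the table itself becomes the resource an attacker exhausts.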

The hardware abstraction module 680 sets the FW engine 170 and checks astate of the FW engine 170. The hardware abstraction module 680 requestsmatching from the FW engine 170, and then receives match results. Thehardware abstraction module 680 inputs, into the FW engine 170, a packetto be filtered and FW rules to be matched with the packet so that thematching between the packet and the FW rules is performed in the FWengine 170. For example, the packet and the FW rules may be convertedinto keys at the hardware abstraction module 680 and inserted in the FWengine 170, or may be converted into keys at the FW engine 170.

The hardware-based FW engine 170 is a module that performs operationsfor use in providing FW functions on the basis of hardware as mentionedabove. For example, according to the hardware constitution shown in FIG.7, the hardware-based FW engine 170 includes a packet matching engine710 that performs packet matching operations, a URL filter 720 thatperforms URL filtering operations, and a content filter 730 thatperforms content filtering operations. Also, the FW engine 170 mayfurther include a packet stream capture unit 740 for converting a packetinto an appropriate format for the operations.

The packet matching engine 710 performs a packet matching operation,which is a basic operation for FW functions. The matching operationbetween a packet to be filtered and FW rules may involve comparisonbetween a packet key converted from the packet and a rule key derivedfrom the FW rules. For example, a packet key input to the packetmatching engine 710 may be 128 bits or 256 bits. Rule keys that arestored in the packet matching engine 710 and compared with the packetkey of 128 bits or 256 bits may be 512 160-bit keys or 256 320-bit keys,respectively.

FIG. 8 shows exemplary data structures of a packet key and a rule keyused in a packet matching engine according to an exemplary embodiment ofthe present disclosure.

In FIG. 8, a packet key data structure 810 is a structure of the 128-bit packet key illustrated above. The packet key data structure 810 includes 96-bit Packet Content and two 16-bit comparison areas (i.e., Range 0 and Range 1). In the 96-bit Packet Content, the 94 upper bits store packet content, and the two lower bits are dummy bits that store the results of comparing the comparison areas of a packet key with those of a rule key. Meanwhile, a rule key data structure 820 has the following format. The rule key data structure 820 is a 160-bit rule key corresponding to the aforementioned 128-bit packet key size, and includes 96-bit Rule Content and two 32-bit comparison areas (i.e., Range 0 and Range 1). In addition, the rule key data structure 820 includes a 32-bit rule content mask for a given rule key. Thus, the rule key data structure 820 has a total of 192 bits (96 + 32 + 32 + 32), which is the row width of the rule key memory described below. In the Rule Content, the 94 upper bits store rule content, and the two lower bits denote a mask related to the comparison areas.

A packet key and rule keys are stored in the packet matching engine 710.In particular, the packet matching engine 710 may include a rule keymemory (not shown) for storing a plurality of rule keys to be comparedwith the packet key. The rule key memory may be one array, or may beimplemented in the form of a plurality of arrays. For example, the rulekey memory may be configured with two arrays of 192 bits×256 bits tostore 512 160-bit rule keys and 32-bit content masks of the respectiverule keys.

In a matching operation between a packet and FW rules, a mask is used to compare a packet key with only some of the rule keys and/or with only some bits of a rule key, instead of comparing the packet key with all rule keys bit by bit. In addition to the rule content mask of FIG. 8, a Rule Row Mask and a Rule Column Mask may be included in the packet matching engine 710. The Rule Row Mask and the Rule Column Mask may be stored in the rule key memory, or stored separately from the rule key memory.

When the rule key memory is configured with two arrays of 192 bits×256bits as mentioned above, a 256-bit Rule Row Mask may be used for eacharray, and a 96-bit Rule Column Mask may be used for rule content bitsof rule keys stored in the arrays. For example, a rule key correspondingto a bit set to 1 in the Rule Row Mask is compared with the packet key,and the rule key is compared with the packet key at every bitcorresponding to a bit set to 1 in the Rule Column Mask.

FIG. 9 shows a constitution of a packet matching engine according to anexemplary embodiment of the present disclosure.

The packet matching engine 710 includes a control block 910 and one or more packet matchers 920 and 930. Each of the packet matchers 920 and 930 may include a plurality of packet sub-matchers 940_1, 940_2, ..., 940_i, 940_(i+1), 940_(i+2), ..., and 940_(i+n).

The control block 910 controls the packet matching engine 710 and storesa state of the packet matching engine 710. The control block 910generates an address signal and a control signal of the rule key memoryof the packet matching engine 710. Also, the control block 910 storesresults of comparing, at the packet matchers 920 and 930, a packet keyand a rule key. In a certain exemplary embodiment, the control block 910may include a register for storing a Rule Row Mask and a Rule ColumnMask.

The packet matching engine 710 shown in FIG. 9 includes the two packet matchers 920 and 930. For example, a packet key of the aforementioned 128-bit data structure may be input to the respective packet matchers 920 and 930. Also, the rule key memory of the packet matching engine 710 may be divided into two arrays of 192 bits×256 bits, and the two arrays may correspond to the packet matchers 920 and 930, respectively. In a certain exemplary embodiment, the respective arrays may be included in the corresponding packet matchers 920 and 930. However, such a configuration of the rule key memory is merely an example. The rule key memory of the packet matching engine 710 may be used to store 512 160-bit rule keys or 256 320-bit rule keys according to a setting of a user.

In a certain exemplary embodiment, each of the packet matchers 920 and 930 may include eight packet sub-matchers (i.e., i = n = 8 for the reference numerals 940_1, 940_2, ..., 940_i, 940_(i+1), 940_(i+2), ..., and 940_(i+n) indicating the packet sub-matchers shown in FIG. 9). In each of the packet matchers 920 and 930, 256 rule keys are divided into eight groups. Each of the total of 16 packet sub-matchers 940_1 to 940_(i+n) compares 32 rule keys with a packet key.

A packet input to each of the packet matchers 920 and 930 is input to the packet sub-matchers 940_1 to 940_(i+n) included in that packet matcher, and the address signal and the control signal of the rule key memory are generated by the control block 910 and input to the packet sub-matchers 940_1 to 940_(i+n). Each of the packet sub-matchers 940_1 to 940_(i+n) loads a rule key stored in the rule key memory according to the address signal and performs a logical operation of comparing the loaded rule key with a packet key.

The aforementioned address signal and/or control signal may be concurrently input to the packet sub-matchers 940_1 to 940_(i+n). In this case, the 16 packet sub-matchers 940_1 to 940_(i+n) in the exemplary packet matching engine 710 may perform matching between the packet and the rules by performing the logical operation of comparing a rule key with the packet key in parallel. The operation rate of the packet matching engine 710 varies according to the number of rule keys compared by each of the packet sub-matchers 940_1 to 940_(i+n). For example, when three clocks are required to compare one rule key with a packet key, each of the packet matchers 920 and 930 processes its 256 rule keys in 96 (=(256/8)*3) clocks, because its eight packet sub-matchers each handle 32 rule keys in parallel. When multi-matching is enabled in this manner, even if the number of rules increases, the time required for such matching may be kept short.

A memory for the multi-matching may have the structure of a content-addressable memory (CAM). When a packet key is input to the memory of the CAM structure and a rule key that matches the input packet key is detected in the memory, an address indicating the position at which the rule key is stored may be output. Each of the packet matchers 920 and 930 may further include a result block (not shown). In the result block, the results of the logical operations performed by the packet sub-matchers 940_1 to 940_(i+n) are stored. The control block 910 of the packet matching engine 710 may receive the results stored in the result blocks.

FIG. 10 shows a constitution of a packet sub-matcher according to an exemplary embodiment of the present disclosure. FIG. 10 shows a constitution of the packet sub-matcher 940_1, and the other packet sub-matchers 940_2 to 940_(i+n) may also have the same constitution.

A packet buffer 1080 stores a packet input to the packet matching engine710. The packet stored in the packet buffer 1080 includes 96-bit PacketContent and a 32-bit comparison area.

In the packet sub-matcher 940_1, a rule content memory 1010 of 96 bits×32 bits, a rule area memory 1020 of 64 bits×32 bits, and a rule content mask memory 1030 of 32 bits×32 bits store the rule content, the comparison areas, and the rule content mask of 32 rule keys, respectively. The rule content memory 1010, the rule area memory 1020, and the rule content mask memory 1030 may be a buffer that receives the 32 rule keys processed by the packet sub-matcher 940_1 from the rule key memory of the packet matching engine 710 and stores the 32 received rule keys, or may be a part of the rule key memory. According to an address signal from the control block 910, the rule content, the comparison areas, and the rule content mask of one rule key may be loaded from the memories 1010, 1020, and 1030.

A rule row mask and a rule column mask may be used as described above. When each of the packet matchers 920 and 930 including eight packet sub-matchers processes 256 rule keys, the rule row mask for use in each of the packet sub-matchers 940_1 to 940_(i+n) has 32 (=256/8) bits.

When an input packet is loaded, the packet sub-matcher 940_1 performs the following operations on the rule keys assigned to the packet sub-matcher 940_1. For each rule key, a mask operation unit 1070 of the packet sub-matcher 940_1 generates an expanded 96-bit rule content mask 1040 using 32 bits of the rule content mask memory 1030, and performs a logical operation of masking 96-bit rule content from the rule content memory 1010 with the expanded rule content mask 1040. An area operation unit 1060 compares the values of the comparison areas of the rule keys stored in the rule area memory 1020 with the value of the comparison area of the packet stored in the packet buffer 1080, and then updates the dummy bits of the Packet Content in the packet buffer 1080 with the results of the comparison. Subsequently, a content matcher 1050 performs a logical operation of comparing the rule content with the packet content bit by bit.
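The following software model of the packet matching engine of FIGS. 8 to 10 is an added example and not code from the patent. The widths follow the text (96-bit content with two dummy bits, two 16-bit packet ranges, two 32-bit rule ranges, a 32-bit rule content mask, two matchers of eight sub-matchers of 32 rule keys each). Everything the page does not state is an assumption here: that a 32-bit rule range holds a 16-bit lower bound above a 16-bit upper bound, that each bit of the 32-bit mask covers three consecutive content bits, that the two low bits of the rule content say which range comparisons the rule requires, and the offsets of the version, protocol and IPv4 address fields inside the 94 content bits.

```python
"""Added example, not code from the patent: a bit-level software model of
the packet matching engine of FIGS. 8 to 10.  The widths follow the text
(96-bit content with two dummy bits, two 16-bit packet ranges, two 32-bit
rule ranges, a 32-bit rule content mask, 16 sub-matchers of 32 rule keys).
Assumed, because the page does not say: a 32-bit rule range holds a 16-bit
lower bound above a 16-bit upper bound; each bit of the 32-bit mask covers
three consecutive content bits; the two low bits of the rule content say
which range comparisons the rule requires; and the field layout of the 94
content bits (version, protocol, destination and source IPv4 address).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

M96 = (1 << 96) - 1
SIP_OFF, DIP_OFF, PROTO_OFF, VER_OFF = 3, 36, 69, 78     # assumed content layout
FIELD_GROUPS = {"sip": range(1, 12), "dip": range(12, 23), "proto": range(23, 26), "ver": [26]}


@dataclass(frozen=True)
class PacketKey:        # 128 bits
    content: int        # 96 bits: content << 2 | 2 dummy bits (filled in by the area unit)
    range0: int         # 16 bits, e.g. destination port
    range1: int         # 16 bits, e.g. source port


@dataclass(frozen=True)
class RuleKey:          # 192 bits as stored in the rule key memory
    content: int        # 96 bits: content << 2 | 2 "range required" bits
    range0: int         # 32 bits: lo << 16 | hi
    range1: int
    mask32: int         # 32-bit content mask, 1 = compare this 3-bit group


def content(ver: int, proto: int, sip: int, dip: int) -> int:
    return (ver << VER_OFF) | (proto << PROTO_OFF) | (dip << DIP_OFF) | (sip << SIP_OFF)


def mask_for(*fields: str) -> int:
    return sum(1 << g for f in fields for g in FIELD_GROUPS[f])


def expand_mask(mask32: int) -> int:
    """Mask operation unit: 32 mask bits -> 96 bits, one bit per 3 content bits."""
    return sum(0b111 << (3 * i) for i in range(32) if (mask32 >> i) & 1)


def in_range(rng32: int, value: int) -> bool:
    return (rng32 >> 16) <= value <= (rng32 & 0xFFFF)


def compare(rule: RuleKey, pkt: PacketKey, column_mask: int = M96) -> bool:
    """One sub-matcher step: area unit, mask unit, then a bitwise content match."""
    dummy = (int(in_range(rule.range0, pkt.range0)) << 1) | int(in_range(rule.range1, pkt.range1))
    pkt_content = (pkt.content & ~0b11) | dummy          # range results into the dummy bits
    required = rule.content & 0b11                        # which range results must be 1
    mask = (expand_mask(rule.mask32) & column_mask & ~0b11) | required
    return ((pkt_content ^ rule.content) & mask) == 0


class PacketSubMatcher:
    def __init__(self, base: int) -> None:
        self.base = base                                  # address of slot 0 in the rule key memory
        self.rules: List[Optional[RuleKey]] = [None] * 32

    def match(self, pkt: PacketKey, row_mask: int, column_mask: int) -> List[int]:
        return [self.base + j for j, r in enumerate(self.rules)
                if r is not None and (row_mask >> j) & 1 and compare(r, pkt, column_mask)]


class PacketMatchingEngine:
    """Two packet matchers of eight sub-matchers: 16 x 32 = 512 rule key slots."""
    def __init__(self) -> None:
        self.subs = [PacketSubMatcher(base=32 * k) for k in range(16)]
        self.row_mask = [0xFFFFFFFF] * 16                 # per sub-matcher, 1 = slot enabled
        self.column_mask = M96

    def insert(self, address: int, rule: RuleKey) -> None:
        self.subs[address // 32].rules[address % 32] = rule

    def match(self, pkt: PacketKey) -> List[int]:
        """Addresses of every matching rule key (multi-match), lowest address first."""
        return [a for sub, rm in zip(self.subs, self.row_mask)
                for a in sub.match(pkt, rm, self.column_mask)]


def demo() -> List[List[int]]:
    ip = lambda s: int(ipaddress.IPv4Address(s))
    eng = PacketMatchingEngine()
    # address 0: any packet to 203.0.113.9; 40: TCP to port 80 from an ephemeral
    # port (both ranges required); 300: any packet from 10.0.0.0/8 (the top byte
    # of SIP is exactly mask groups 9-11 in the assumed layout)
    eng.insert(0, RuleKey(content(0, 0, 0, ip("203.0.113.9")), 0, 0, mask_for("dip")))
    eng.insert(40, RuleKey(content(0, 6, 0, 0) | 0b11, (80 << 16) | 80, (1024 << 16) | 65535,
                           mask_for("proto")))
    eng.insert(300, RuleKey(content(0, 0, ip("10.0.0.0"), 0), 0, 0, 0b111 << 9))
    p1 = PacketKey(content(4, 6, ip("10.1.2.3"), ip("203.0.113.9")), 80, 40000)
    p2 = PacketKey(content(4, 6, ip("192.0.2.1"), ip("198.51.100.7")), 80, 40000)
    p3 = PacketKey(content(4, 17, ip("10.9.9.9"), ip("198.51.100.7")), 53, 53)
    out = [eng.match(p1), eng.match(p2), eng.match(p3)]
    eng.row_mask[1] &= ~(1 << 8)                          # rule row mask: disable address 40
    out.append(eng.match(p2))
    return out
```

The 3-bit mask granularity is the practical consequence of a 32-bit mask over 96 content bits: a field can only be wildcarded on 3-bit boundaries, so whoever loads the rules must place fields, or choose prefix lengths such as the /8 at address 300, so that the bits to be ignored line up with whole mask groups; otherwise the rule silently over- or under-matches. The row mask gives the driver a way to disable a rule slot without rewriting the rule key memory.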

The packet stream capture unit 740 converts a packet input or outputthrough the NIC 610 into a data set in an appropriate form for matchingoperations performed in the packet matching engine 710. The conversionperformed by the packet stream capture unit 740 may include extractionof certain data from the packet. The packet stream capture unit 740provides the extracted data to the FW engine 170. The extracted data maybe data related to FW rules. Data that is not related to FW rules is notnecessarily required for matching between the packet and the FW rules,and thus may not be provided to the FW engine 170. For example, for apacket of a link layer protocol such as the Ethernet protocol, FW rulesmay be set in connection with data specified for the link layerprotocol, data specified for a network layer protocol, and/or dataspecified for a transmission layer protocol, or may be set in connectionwith data specified for an application layer protocol.

As an example, a case in which the packet stream capture unit 740receives an Ethernet frame packet is assumed. The packet stream captureunit 740 extracts data related to FW rules from an Ethernet frame. Forexample, information including a source media access control (MAC)address and a destination MAC address in a MAC header and a source IPaddress, a destination IP address, a packet version, and a protocol inan IP header is extracted from the Ethernet frame. When the Ethernetframe is in accordance with the TCP or the user datagram protocol (UDP),information including a source port and a destination port in a TCPheader or a UDP header is extracted. On the other hand, when theEthernet frame is an Internet control message protocol (ICMP) message,information including a type and a code is extracted.

With reference to FIG. 11, conversion of an Ethernet frame by the packetstream capture unit 740 will be described. In FIG. 11, the Ethernetframe includes an IPv4 packet.

When the Ethernet frame is an outgoing TCP or UDP packet, the packetstream capture unit 740 reads the Ethernet frame as the uppermost formatin FIG. 11. In this format, two dummy bits, a packet version indicatedby V, a direction bit indicating whether the Ethernet frame goes outsideor comes in from the outside, a reserved bit, a protocol indicated by P,a destination MAC address indicated by DM1 to DM6, a destination IPaddress indicated by DIP1 to DIP4, and a source IP address indicated bySIP1 to SIP4 are positioned at bits beginning with bit 0, andcontinuously followed by a destination port indicated by DP0 and asource port indicated by SP0 together with certain dummy bits. When theoutgoing Ethernet frame is an ICMP message, the destination port and thesource port are replaced by a code indicated by CO and a type indicatedby TP, respectively.

An incoming Ethernet frame also has a similar format to that describedabove. In such a format, two dummy bits, a packet version indicated byV, a direction bit indicating whether the Ethernet frame goes outside orcomes in from the outside, a reserved bit, a protocol, a source MACaddress indicated by SM1 to SM6, a source IP address, and a destinationIP address are positioned, and continuously followed by a source portand a destination port or a code and a type together with certain dummybits.

Subsequently, the packet stream capture unit 740 provides the datarelated to FW rules to the packet matching engine 710. For example, thepacket stream capture unit 740 generates a 128-bit packet key on thebasis of data that has been converted into a certain format as describedabove, and provides the generated 128-bit packet key to the packetmatching engine 710. When the Ethernet frame input to the packet streamcapture unit 740 includes an IPv6 packet, the packet stream capture unit740 may convert the input frame into a 256-bit packet key.
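A software model of the packet stream capture unit for an Ethernet frame carrying IPv4, as an added example and not code from the patent. It extracts the fields the text lists (MAC addresses, IP addresses, version, protocol, ports or ICMP type and code) and packs them into a 128-bit packet key. The page gives the field order of FIG. 11 but not the bit offsets, so the key layout is assumed, as is the reading that the outgoing order DIP, SIP, DP, SP and the incoming order SIP, DIP, SP, DP normalise the key to "peer" and "local" fields; the frames are constructed test data with zero checksums.

```python
"""Added example, not code from the patent: a software model of the packet
stream capture unit for an Ethernet frame carrying IPv4 (FIG. 11).  It
extracts the fields the text lists (MAC addresses, IP addresses, version,
protocol, ports or ICMP type/code) and packs them into a 128-bit packet key.
The page gives the field order but not the bit offsets, so the key layout
below is assumed; the frames are constructed test data with zero checksums.
"""
import socket
import struct
from typing import Any, Dict


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), 0x0800)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ipv4 + l4


def tcp_header(sport: int, dport: int, flags: int = 0x02) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)


# Constructed sample traffic: an outgoing SYN, the incoming SYN-ACK, an outgoing ping.
LOCAL_MAC, GW_MAC = "020000000001", "020000000002"
FRAME_OUT = build_frame(LOCAL_MAC, GW_MAC, "192.0.2.10", "198.51.100.5", 6, tcp_header(40000, 443))
FRAME_IN = build_frame(GW_MAC, LOCAL_MAC, "198.51.100.5", "192.0.2.10", 6, tcp_header(443, 40000, 0x12))
FRAME_ICMP = build_frame(LOCAL_MAC, GW_MAC, "192.0.2.10", "198.51.100.5", 1,
                         struct.pack("!BBHHH", 8, 0, 0, 1, 1))


def extract(frame: bytes, outgoing: bool) -> Dict[str, Any]:
    """Packet stream capture: keep only the fields FW rules are written against.

    Fields are normalised so that 'peer' is the remote side and range0/range1
    are the peer and local ports; FIG. 11 orders outgoing frames as DIP, SIP,
    DP, SP and incoming ones as SIP, DIP, SP, DP, which is the same thing.
    """
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0800:
        raise ValueError("this example handles IPv4 only")
    version, ihl = frame[14] >> 4, (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if outgoing:
        peer_mac, peer_ip, local_ip = dst_mac, dst_ip, src_ip
    else:
        peer_mac, peer_ip, local_ip = src_mac, src_ip, dst_ip
    if proto in (6, 17):                                    # TCP / UDP: ports
        sport, dport = struct.unpack_from("!HH", frame, l4)
        range0, range1 = (dport, sport) if outgoing else (sport, dport)
    elif proto == 1:                                        # ICMP: code, type replace the ports
        icmp_type, icmp_code = struct.unpack_from("!BB", frame, l4)
        range0, range1 = icmp_code, icmp_type
    else:
        range0 = range1 = 0
    return {"outgoing": outgoing, "version": version, "proto": proto,
            "peer_mac": peer_mac.hex(), "peer_ip": peer_ip, "local_ip": local_ip,
            "range0": range0, "range1": range1}


def packet_key(f: Dict[str, Any]) -> int:
    """128-bit packet key: 96-bit content (assumed layout) then the two 16-bit ranges."""
    ip = lambda s: int.from_bytes(socket.inet_aton(s), "big")
    cont = ((int(f["outgoing"]) << 81) | (f["version"] << 78) | (f["proto"] << 69)
            | (ip(f["local_ip"]) << 36) | (ip(f["peer_ip"]) << 3))   # bits 0-1: dummy bits
    assert cont < (1 << 96)
    return (cont << 32) | (f["range0"] << 16) | f["range1"]
```

With this normalisation one rule key covers both directions of a flow: the direction bit is the only difference between the key of the outgoing SYN and that of the incoming SYN-ACK, so a rule that must apply to inbound traffic only has to include the direction bit in its mask, and a rule that ignores it matches the whole connection.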

As described above, the packet stream capture unit 740 may rapidly parsea packet. Furthermore, the packet stream capture unit 740 may rapidlyparse a packet that is a target of URL filtering (e.g., an HTTP packet)or a file that is a target of content filtering (e.g., a document orimage file having a specific keyword/pattern).

For example, when an Ethernet frame received through the NIC 610includes a TCP packet, the packet stream capture unit 740 converts apacket of an application layer protocol including a URL part (e.g., anHTTP packet or a PPTP packet) into a simplified format appropriate forsubsequent matching, such that a URL check can be performed on anapplication layer protocol such as the HTTP or the PPTP. Since a size ofthe URL part to be checked is not fixed, the packet stream capture unit740 hashes the part corresponding to a URL filtering rule and stores thehashed part. For example, in an HTTP packet, the packet stream captureunit 740 finds a method field and a space sp following the method fieldto check a position of a URL field, and extracts a domain name and asubsequent path part from a URL part. In a similar way, also in a PPTPpacket, a length field and a message type field are masked and a magiccookie field is extracted.

The extracted URL-related part is input to the URL filter 720. FIG. 12 shows a constitution of a URL filter according to an exemplary embodiment of the present disclosure. With reference to FIG. 12, an operation of the exemplary URL filter 720 is described. The input part is hashed by a hash processor 1220 according to an algorithm such as SHA-256. For such hashing, a padding unit 1210 pads the part input to the URL filter 720 to a whole number of input blocks of the hash processor 1220, and delivers the padded part to the hash processor 1220. An output of the hash processor 1220 is provided to a CAM 1230 of the URL filter 720, and the fixed-length digest is matched against the stored entries. When the hashed URL-related part matches a URL filtering rule of the CAM 1230, an address is output from the CAM 1230 through an address encoder 1240.
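The URL filtering path of FIGS. 11 and 12, including the split of one URL rule into a domain entry and a path entry mentioned earlier, as an added example and not code from the patent. Assumed, since the page does not say: the host is case-folded and its port and the query string are dropped before hashing, the domain of an origin-form request is taken from the Host header, and a rule matches when its domain entry hits and its path entry (if any) also hits.

```python
"""Added example, not code from the patent: a software model of the URL
filtering path of FIGS. 11 and 12.  The capture step locates the method,
the space after it and the URL field of an HTTP request; the URL rule is
split at the first '/' into a domain entry and a path entry; each part is
padded to whole SHA-256 blocks, hashed, and looked up in a CAM keyed by the
digest.  Assumed, since the page does not say: the host is case-folded and
its port and the query string are dropped before hashing, the domain of an
origin-form request is taken from the Host header, and a rule matches when
its domain entry hits and its path entry (if any) hits as well.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple

BLOCK = 64                                   # SHA-256 input block, bytes


def pad(msg: bytes) -> bytes:
    """Padding unit: FIPS 180-4 padding (0x80, zeros, 64-bit length) to whole blocks."""
    bit_len = 8 * len(msg)
    msg += b"\x80"
    msg += b"\x00" * ((BLOCK - 8 - len(msg)) % BLOCK)
    return msg + struct.pack(">Q", bit_len)


def digest(part: str) -> bytes:
    """Hash processor output for one URL part (hashlib applies the same padding as pad())."""
    padded = pad(part.encode())
    assert len(padded) % BLOCK == 0
    return hashlib.sha256(part.encode()).digest()


def extract_url(request: bytes) -> Optional[Tuple[str, str]]:
    """Capture step: (domain, path) of an HTTP request, or None if this is not one."""
    line, _, rest = request.partition(b"\r\n")
    method, sp, after = line.partition(b" ")
    if not sp or not method.isalpha() or not method.isupper():
        return None
    url = after.split(b" ", 1)[0].decode("ascii", "replace")
    if "://" in url:                                  # absolute-form (proxy) request
        domain, _, path = url.split("://", 1)[1].partition("/")
    else:                                             # origin-form: host from the Host header
        domain, path = "", url.lstrip("/")
        for h in rest.split(b"\r\n"):
            if h.lower().startswith(b"host:"):
                domain = h[5:].strip().decode("ascii", "replace")
    domain = domain.split(":")[0].lower()
    return domain, "/" + path.split("?", 1)[0]


class UrlFilter:
    def __init__(self) -> None:
        self.cam: Dict[bytes, Set[int]] = {}           # 256-bit CAM word -> rule addresses
        self.rules: Dict[int, Tuple[str, Optional[str]]] = {}

    def insert(self, address: int, url_rule: str) -> None:
        domain, _, path = url_rule.partition("/")      # one URL rule -> two filtering rules
        domain, path = domain.lower(), ("/" + path if path else None)
        self.rules[address] = (domain, path)
        self.cam.setdefault(digest(domain), set()).add(address)
        if path:
            self.cam.setdefault(digest(path), set()).add(address)

    def lookup(self, domain: str, path: str) -> Optional[int]:
        """Address encoder: lowest address whose entries all hit, else None."""
        dom_hits = self.cam.get(digest(domain), set())
        path_hits = self.cam.get(digest(path), set())
        for addr in sorted(dom_hits):
            if self.rules[addr][1] is None or addr in path_hits:
                return addr
        return None


def demo() -> List[Optional[int]]:
    """Constructed requests against two rules; non-HTTP payload is skipped."""
    flt = UrlFilter()
    flt.insert(0, "malware.example/download/payload.exe")
    flt.insert(1, "phish.example")
    requests = [
        b"GET http://MALWARE.example:8080/download/payload.exe?id=7 HTTP/1.1\r\n\r\n",
        b"GET /login HTTP/1.1\r\nHost: phish.example\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: malware.example\r\n\r\n",
        b"POST /api HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
        b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc",      # TLS ClientHello, not an HTTP request
    ]
    out = []
    for req in requests:
        parts = extract_url(req)
        out.append(flt.lookup(*parts) if parts else None)
    return out
```

Hashing makes the CAM width independent of the URL length, but a digest lookup is exact-match only: "/download/payload.exe" does not hit a rule for "/download", and any difference in normalisation between the rule loader and the capture unit (case, trailing slash, percent-encoding) turns into a miss. Prefix or wildcard URL rules therefore need either one hash per prefix length or a different matching structure, and TLS traffic never reaches this path because the request line is not visible.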

As another example, a packet including a file set to go outside by an application 630 may include a specific keyword (e.g., "confidential") or pattern (e.g., a Social Security Number). In this case, the packet stream capture unit 740 may convert the file into an appropriate format for filtering content used in the application layer. A detailed conversion scheme may vary according to the file, the keyword, and/or the pattern. Subsequently, the content filter 730 may perform content filtering in a similar way to the URL filtering operations of the URL filter 720. Content filtering in the application layer prevents the disclosure and outflow of content including specific information.

The hardware-based AM system described above can be implemented invarious mobile devices, PCs, or embedded devices. On a platform providedby the AM system, an FW solution effectively blocks a malware infectionroute and allows network packets to be filtered and monitored accordingto an FW policy, and thus it is easy to fundamentally block access to amalware distribution site or a phishing site and prevent a distributeddenial of service (DDoS) attack. In addition, a filtering functionprovided on the basis of hardware can reduce a response time to packettransmission, and can be performed within an appropriate time even whenthe number of FW rules increases. Furthermore, even when a variable sizeof data from packets in accordance with a certain protocol is related toFW rules, matching of packets with FW rules can be rapidly performed onthe basis of hardware.

Meanwhile, an exemplary embodiment of the present disclosure may includea computer-readable recording medium including a program for performingthe methods described herein on a computer. The computer-readablerecording medium may separately include program commands, local datafiles, local data structures, etc. or include a combination of them. Themedium may be specially designed and configured for the presentdisclosure. Examples of the computer-readable recording medium includemagnetic media, such as a hard disk, a floppy disk, and a magnetic tape,optical recording media, such as a CD-ROM and a DVD, magneto-opticalmedia, such as a floptical disk, and hardware devices, such as a ROM, aRAM, and a flash memory, specially configured to store and performprogram commands. Examples of the program commands may includehigh-level language codes executable by a computer using an interpreter,etc. as well as machine language codes made by compilers.

In certain exemplary embodiments, certain operations for providing an FWfunction are performed at a high speed in a hardware-based FW engine,and other FW operations are implemented on a software level of aplatform including the FW engine so that various security solutions canbe provided.

In certain exemplary embodiments, a computing device having limitedresources can provide improved FW performance.

It will be apparent to those familiar with this field that variousmodifications can be made to the above-described exemplary embodimentsof the present disclosure without departing from the spirit or scope ofthe present disclosure. Thus, it is intended that the present disclosurecovers all such modifications provided they come within the scope of theappended claims and their equivalents.

What is claimed is:
 1. An anti-malware (AM) apparatus, comprising: ahardware-based firewall (FW) engine, including a packet matching engineconfigured to perform matching of a packet with a plurality of FW rules,and to generate a matching result; and an FW function module configuredto determine an action for filtering the packet on the basis of thematching result, wherein the packet matching engine includes: aplurality of rule keys derived from the plurality of FW rules; a packetkey converted from the packet; and one or more packet matchersconfigured to compare the packet key with the plurality of rule keys,wherein each of said one or more packet matchers includes a plurality ofpacket sub-matchers configured to operate in parallel, and furtherconfigured to compare a subset of the plurality of rule keys with thepacket key.
 2. The AM apparatus of claim 1, wherein: the hardware-basedFW engine further includes a packet stream capture unit; and the packetstream capture unit is configured to extract data, related to theplurality of FW rules, from the packet and to provide the extracted datato the packet matching engine.
 3. The AM apparatus of claim 2, whereinthe packet stream capture unit extracts the data from the packet so asto include data specific to at least one of a link layer protocol, anetwork layer protocol, and a transmission layer protocol.
 4. The AMapparatus of claim 2, wherein: the plurality of FW rules further includea uniform resource locator (URL) filtering rule; the hardware-based FWengine further includes a URL filter; the packet stream capture unit isfurther configured to extract a URL portion from the packet and toprovide the extracted URL portion to the URL filter; and the URL filteris configured to perform matching of the URL portion with the URLfiltering rule.
 5. The AM apparatus of claim 2, wherein: the pluralityof FW rules further include a content filtering rule; the hardware-basedFW engine further includes a content filter; the packet stream captureunit is further configured to extract at least one of a keyword and apattern, from the packet, and to provide to the content filter theextracted at least one of the keyword and the pattern; and the contentfilter is configured to perform matching of the at least one of thekeyword and the pattern with the content filtering rule.
 6. The AMapparatus of claim 1, wherein the FW function module is implemented asfirmware.
 7. The AM apparatus of claim 6, wherein the hardware-based FWengine includes a central processing unit (CPU) and a memory, andwherein the firmware implementing the FW function module is stored inthe memory.
 8. The AM apparatus of claim 1, wherein the FW function module is implemented as an application, said application being executed by an external CPU in cooperation with the hardware-based FW engine.
 9. The AM apparatus of claim 1, wherein the hardware-based FW engine is integrated with a processor, and wherein the processor includes a security execution environment module configured to virtualize the processor into virtualized processors respectively corresponding to a normal mode and a security mode.
 10. The AM apparatus of claim 9, wherein a virtualized processor corresponding to the security mode is configured to execute an application received by the AM apparatus.
 11. The AM apparatus of claim 9, further comprising a storage device connected to the processor, wherein the security execution environment module virtualizes the storage device into virtualized storage devices respectively corresponding to the normal mode and the security mode.
 12. The AM apparatus of claim 11, wherein a virtualized storage device corresponding to the security mode stores the plurality of FW rules.
 13. A method of processing a packet in an anti-malware (AM) apparatus, comprising: performing matching of the packet with a plurality of FW rules using a packet matching engine of a hardware-based firewall (FW) engine; generating a matching result; and determining, at an FW function module, an action for filtering the packet on the basis of the matching result, wherein the performing matching of the packet includes: deriving a plurality of rule keys from the plurality of FW rules; converting a packet key from the packet; operating, in parallel, in each of one or more packet matchers, a plurality of packet sub-matchers; and comparing, at each of said plurality of packet sub-matchers, the packet key with a subset of the plurality of rule keys.
 14. The method of claim 13,further comprising extracting, at a packet stream capture unit of thehardware-based FW engine, data related to the FW rules, from the packet,and providing the extracted data to the packet matching engine.
 15. Themethod of claim 14, wherein the extracting of the data from the packetat the packet stream capture unit is performed so as to include dataspecific to at least one of a link layer protocol, a network layerprotocol, and a transmission layer protocol.
 16. The method of claim 14,further comprising: extracting, at the packet stream capture unit, auniform resource locator (URL) portion from the packet; providing theextracted URL portion to a URL filter of the hardware-based FW engine;and matching, at the URL filter, the URL portion with a URL filteringrule of the plurality of FW rules.
 17. The method of claim 14, furthercomprising: extracting, at the packet stream capture unit, at least oneof a keyword and a pattern from the packet; providing the at least oneof the keyword and the pattern to a content filter of the hardware-basedFW engine; and matching, at the content filter, the at least one of thekeyword and the pattern with a content filtering rule of the pluralityof FW rules.
 18. The method of claim 13, wherein the FW function module is implemented as firmware.
 19. The method of claim 18, wherein thehardware-based FW engine includes a central processing unit (CPU) and amemory, and wherein the firmware implementing the FW function module isstored in the memory.
 20. The method of claim 13, wherein the FW function module is implemented as an application, said application being executed by an external CPU in cooperation with the hardware-based FW engine.
 21. The method of claim 13, wherein the hardware-based FW engineis integrated with a processor, and the processor includes a securityexecution environment module to virtualize the processor intovirtualized processors respectively corresponding to a normal mode and asecurity mode.
 22. The method of claim 21, wherein a virtualizedprocessor corresponding to the security mode executes an applicationusing the AM apparatus.
 23. The method of claim 21, further comprising virtualizing, at the security execution environment module, a storage device connected to the processor into virtualized storage devices respectively corresponding to the normal mode and the security mode.
 24. The method of claim 23, wherein the plurality of FW rules are stored in the virtualized storage device corresponding to the security mode.
 25. Acomputing device, comprising: a CPU core, and an anti-malware (AM)apparatus configured to provide a security platform on which a firewall(FW) software application is executable, wherein the AM apparatusincludes: a hardware-based FW engine including a packet matching engineconfigured to perform matching of a packet with a plurality of FW rulesand to generate a matching result; and an FW function module configuredto determine an action for filtering the packet on the basis of thematching result, wherein the packet matching engine includes: aplurality of rule keys derived from the plurality of FW rules; a packetkey converted from the packet; and one or more packet matchersconfigured to compare the packet key with the plurality of rule keys,wherein each of said one or more packet matchers includes a plurality ofpacket sub-matchers configured to operate in parallel, and furtherconfigured to compare a subset of the plurality of rule keys with thepacket key.